Cyber incident response (IR) teams have to be prepared for the worst. But most think the worst is data loss or blackmail.
The worst, Canadian cybersecurity strategist Brennan Schmidt says, was having to be part of the incident response team after the 2018 Saskatchewan bus crash that killed 16 people, many of whom were players, coaches and staff of the Humboldt Broncos hockey team.
As he recounted on a panel discussion on incident response during Thursday’s MapleSec Satellite online series, there were a number of things that were unanticipated.
One was the need to get control of the hockey club’s website, email and social media accounts. However, the person responsible for managing the credentials had been killed in the crash. Lawyers had to be involved to solve that problem.
Another was the inability to reach the DNS server that controlled the club's domain, which meant the website could not be used to post information for families and supporters. "We had to buy a domain name folks could get access to," Schmidt said – but it was hard to find a name similar to the hockey club's because, for some reason, they were rapidly being bought by others. Eventually that problem was solved by finding a name that hadn't been scooped up.
The recollection was one of several panel participants offered to show the importance of incident response teams not only practicing their playbooks, but being imaginative in what’s put in them.
“Expect the unexpected,” said Cat Coode, founder of the Canadian-based Binary Tattoo data privacy consultancy. She pointed to the oft-cited hacking of a casino through an internet-connected thermometer in the building’s aquarium.
For inspiration – and fun – she said, watch 10-year-old movies for ways characters supposedly hacked into IT systems that could be possible now if a company has legacy technology. “Today we protect for the highest-level technology, but if you have something in your building that is even five years old it’s hackable.” Then think about how to mitigate that risk.
Try gamification – a long word for playing games – to get IT staff to think outside the box, she said. "I like to put the onus back on people to come up with ideas." For example, pretend a password has been hidden by the game leader on a company laptop. The challenge is for staff to think of how to get it.
Staff will come up with ideas leaders haven’t thought of, Coode said.
Similarly, Schmidt said, IR teams should think about recovery strategies for lost access to email, server or Twitter accounts. Games like this will bolster your capabilities, he said.
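One concrete way to build the recovery strategy Schmidt describes, and to avoid the single-custodian failure the Humboldt case exposed, is to split a break-glass credential (a registrar password, a DNS-provider recovery key, a social-media recovery code) across several custodians so that any threshold of them can reconstruct it. The block below is an added example, not code from the panel or from either speaker: a byte-wise Shamir secret sharing over GF(2^8) in Python. The sample secret, the 3-of-5 split and the custodian roles named in the comments are assumptions for illustration.

```python
import hashlib
import secrets

# Arithmetic in GF(2^8) using the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    # a^254 == a^-1 because every non-zero element satisfies a^255 == 1.
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def _eval_poly(coeffs: list, x: int) -> int:
    # Horner's method; coeffs[0] is the constant term, i.e. the secret byte.
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r


def fingerprint(secret: bytes) -> str:
    # Stored in the IR plan next to the share holders so a reconstruction can be checked.
    return hashlib.sha256(secret).hexdigest()


def split_secret(secret: bytes, threshold: int, shares: int) -> list:
    """Return [(index, share_bytes), ...]; any `threshold` of them rebuild `secret`."""
    if not 1 <= threshold <= shares <= 255:
        raise ValueError("need 1 <= threshold <= shares <= 255")
    out = [(x, bytearray()) for x in range(1, shares + 1)]
    for byte in secret:
        # A fresh random polynomial per byte; the secret byte is the constant term.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, buf in out:
            buf.append(_eval_poly(coeffs, x))
    return [(x, bytes(buf)) for x, buf in out]


def recover_secret(shares: list, expected_fingerprint: str = None) -> bytes:
    """Lagrange-interpolate each byte at x = 0. Fewer than `threshold` shares yield
    garbage, not an error, so pass the stored fingerprint to detect that."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)        # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xm ^ xj)   # (x_j - x_m) == x_j ^ x_m
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    result = bytes(out)
    if expected_fingerprint is not None and fingerprint(result) != expected_fingerprint:
        raise ValueError("reconstruction does not match the recorded fingerprint")
    return result


if __name__ == "__main__":
    # Constructed sample: a registrar recovery passphrase split 3-of-5 across, say,
    # the IT lead, a board member, legal counsel, the communications lead and an
    # off-site escrow. Any three of them can regain control; no one person is a
    # single point of failure.
    passphrase = b"registrar-recovery-passphrase-2018"
    fp = fingerprint(passphrase)
    holders = split_secret(passphrase, threshold=3, shares=5)
    print(recover_secret([holders[0], holders[2], holders[4]], fp) == passphrase)
```

Record the fingerprint and the list of share holders in the plan itself, and rehearse the reconstruction during a tabletop exercise; a share that nobody can locate under pressure is no better than the credential that died with its owner.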
Asked who should be on the IR team, Coode suggested that in addition to IT members there should be representation from the executive, legal, HR, PR/communications, customer service and privacy departments. Should the organization have cyber insurance coverage, a person from the insurer will be on the team. The insurer may provide legal counsel, she added, or pay for counsel of the firm's choosing.
In addition, have contact information for your building’s internet and electric providers.
When developing the IR action plan, start by creating a risk register, said Schmidt: enumerate what is the most important data to your organization in terms of risk or impact should it be lost. “Those that you should focus on should bubble up to the top of the list,” he said. That, then, creates the priorities to focus on in terms of protection and incident response.
That will also lead to consideration of what technologies are needed to prevent unauthorized access to that high-priority data, he said.
As for creating an incident response plan, Coode noted that many IT companies and governments have free online frameworks or playbooks. These should be customized for each organization, she stressed.
"Having a[n IR] policy in your back pocket is all well and good, but it's no help if the organization isn't actually following what it says," she said. "To me, the big thing is they've been customized and made to work for your company."
- Incident response advice from the U.S. Cybersecurity and Infrastructure Security Agency
- Incident response advice for small and medium businesses from the Canadian Centre for Cyber Security
As for who should lead the IR team, Coode said “the best person is the most organized, because what you really want during an incident is communications flow. You need someone who can track what is happening, communicate with the IT team, the execs, PR” to make sure what needs to be done gets done. It could be the head of IT, she said, or a project management leader. And there must be a backup leader in case something unforeseen happens, she said.